- OpenSea suffers front-end attack and hacker gains $800k.
- A bug in the front end of the popular nonfungible token (NFT) marketplace OpenSea has resulted in an exploit that allows users to buy popular NFTs at their previous listing price.
- The bug appears to be prevalent with Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) NFT collectibles.
- BAYC #9991, BAYC #8924, and MAYC #4986 are among the affected NFTs.
According to PeckShield, which was the first to flag the attack, OpenSea has been the victim of a front-end attack resulting in a loss of 332 ETH (approximately $800k). According to reports, a bug in the front end of the popular nonfungible token (NFT) marketplace OpenSea has resulted in an exploit that allows users to buy popular NFTs at their previous listing price.
The bug appears to be prevalent with Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) NFT collectibles, where the exploiter could purchase them at their original listing price and then sell them at the current market price. BAYC #9991, BAYC #8924, and MAYC #4986 are among the affected NFTs. A user named jpegdegenlove is suspected of exploiting the bug and has reportedly profited 332 Ether (ETH) ($754,000).
Blockchain data reveals that the wallet used to execute the attack received 10 ETH from the anonymous wallet service TornadoCash. The received ETH was then wrapped to wETH for use in the attack on OpenSea, which netted the hacker 332 ETH. The NFTs were immediately resold for a profit. OpenSea has not yet provided an update on this development.
An earlier exploit on December 31st saw a similar scenario. The bug appears to arise from transferring an asset from the wallet that created the OpenSea listing to another wallet without cancelling the listing. According to one Twitter user, when a user lists their collectible for auction on OpenSea and later decides to cancel it for some reason, the marketplace charges a significant fee, and the floor price of the collectible also decreases.
Users found a way around it: instead of cancelling their sale, they transferred the asset to a different wallet, which automatically removed the listing from OpenSea's site. However, the listing stays active through OpenSea's API. Users can check Rarible, another NFT marketplace that uses OpenSea's API, to see whether their listing has actually been removed. The user reported the bug after the December incident, but no action was taken to address it.
The same Twitter user commented on today's incident by clarifying things. According to the Twitter user's thread today, OS doesn't charge a delisting fee. It's the cost of gas to remove the listing from the blockchain. Therefore, OS is not pocketing ETH to delist an item. This applies to any transfer. If it leaves the wallet with a listing and then returns to the wallet before that listing has expired or been cancelled, the listing will still be active. Transfers, sales, and staking all apply.
The old listing still exists on the blockchain. Rarible was only displaying it, which made it easy to access. Rarible no longer displays the listings, but they still exist until they expire or are cancelled. This is not a bug, per se, on OS’s part. The issue is that it is nowhere apparent for an NFT holder to see these listings to cancel them. IMHO the prominent place they should be displayed is where the holder created the listing on OS. It has to be the same wallet, same NFT. Something you bought won’t have the previous owner’s listings active for you.
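The stale-listing mechanism described in the thread, modelled in Python as an added example (this is not OpenSea's or Rarible's code, nor the Twitter user's): a listing is voided only by cancellation or expiry, never by the NFT changing hands, so an old listing becomes fillable again once the NFT returns to the wallet that made it. The marketplace class, wallet names, timestamps and prices are constructed; `stale_listings` is the audit check a holder would want, listing the still-live orders on their own NFTs that are priced below the current floor.

```python
from dataclasses import dataclass

@dataclass
class Listing:
    maker: str        # wallet that created (signed) the listing
    token: str        # NFT identifier, e.g. "BAYC #9991"
    price_eth: float  # fixed sale price at the time of listing
    expiry: int       # timestamp after which the order is void
    cancelled: bool = False

class Marketplace:
    """Toy order book: orders die only by cancellation or expiry (constructed model)."""
    def __init__(self):
        self.owner: dict = {}       # token -> current holder
        self.listings: list = []
    def list_nft(self, token: str, price_eth: float, expiry: int) -> Listing:
        lst = Listing(self.owner[token], token, price_eth, expiry)
        self.listings.append(lst)
        return lst
    def transfer(self, token: str, to: str) -> None:
        self.owner[token] = to      # the signed listing is left untouched
    def cancel(self, lst: Listing) -> None:
        lst.cancelled = True        # on-chain cancel; this is the step that costs gas
    def fillable(self, lst: Listing, now: int) -> bool:
        # An order can be filled only while its maker still holds the token.
        return (not lst.cancelled and now < lst.expiry
                and self.owner[lst.token] == lst.maker)
    def buy(self, lst: Listing, buyer: str, now: int) -> float:
        if not self.fillable(lst, now):
            raise ValueError("listing not fillable")
        self.owner[lst.token] = buyer
        return lst.price_eth
    def stale_listings(self, holder: str, now: int, floor_eth: dict) -> list:
        """Audit: live listings by `holder` on NFTs they hold, priced below floor."""
        return [l for l in self.listings if l.maker == holder
                and self.fillable(l, now) and l.price_eth < floor_eth[l.token]]

def replay_scenario() -> dict:
    m = Marketplace()
    m.owner["BAYC #9991"] = "alice"
    old = m.list_nft("BAYC #9991", 20.0, expiry=2_000_000)  # listed long ago at 20 ETH
    m.transfer("BAYC #9991", "alice_cold")  # "delist" by moving it instead of cancelling
    hidden = not m.fillable(old, now=1_000_000)  # dormant: the UI shows nothing
    m.transfer("BAYC #9991", "alice")       # NFT returns to the listing wallet
    floor = {"BAYC #9991": 100.0}
    to_cancel = m.stale_listings("alice", now=1_000_000, floor_eth=floor)
    paid = m.buy(old, "buyer", now=1_000_000)  # the old order fills at 20 ETH
    return {"hidden_while_away": hidden, "stale_found": len(to_cancel), "paid_eth": paid,
            "lost_eth": floor["BAYC #9991"] - paid,
            "old_order_binds_buyer": m.fillable(old, now=1_000_000)}
```

Running `replay_scenario()` shows the listing dormant while the NFT is away, one stale order flagged by the audit after it returns, and the sale filling at 20 ETH against a 100 ETH floor; the previous owner's order does not bind the new buyer, as the thread's last sentence states.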